35+ Years of Freedom of Information Action

Cyber Brief: Election System Security

Published: Feb 28, 2018

Edited by Michael Martelle

While election interference using the information space continues to demand attention, today’s posting examines questions related to the security of election systems themselves.

New to the Cyber Vault

From the Cyber Vault

Pennsylvania State University, University of Pennsylvania, and Web Wise Security, EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing, December 7, 2007. Not classified.

The goal of this review, commissioned by Ohio's Secretary of State, was to assess the security of electronic voting systems used in Ohio, and to identify procedures that might eliminate or mitigate any problems that were discovered. The review discovered that "all of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election."

Jennifer L. Brunner, Ohio Secretary of State, Project EVEREST: Evaluation and Validation of Election Related Equipment Standards and Testing - Report of Findings, December 14, 2007. Not classified.

This document is the Ohio Secretary of State's report which followed the Project EVEREST technical report of December 7 relating to election equipment. It discusses the effort's objectives, Ohio's involvement in the use of electronic voting machines, the structure of the EVEREST study, the security assessment, as well as several other topics - including the Secretary of State's recommendations.

United States Election Assistance Commission, Voluntary Voting System Guidelines (Volume 1, Version 1.1), 2015. Unclassified.

This document provides requirements for voting systems.

United States Election Assistance Commission, Voluntary Voting System Guidelines (Volume 2, Version 1.1), 2015. Unclassified.

This document provides testing guidelines for voting systems.

Cyber Division, Federal Bureau of Investigation, "Targeting Activity Against State Board of Election Systems," August 18, 2016. Unclassified.

This FBI alert states that the election boards of two unidentified states (but reported to be Arizona and Illinois) had been subject to cyber intrusions. One compromised a web site while the other compromised a "Board of Election system." The alert specifies IP addresses associated with the intrusions and provides recommended precautions.

Department of Homeland Security, IA-0213-16, Cyber Threats and Vulnerabilities to US Election Infrastructure, September 20, 2016. Unclassified/For Official Use Only.

This intelligence assessment focuses on cyber threats to computer-enabled US election infrastructure. It notes the absence of indications that there were plans to use cyber operations to change the outcome of the US election but that cyber criminals were likely to continue targeting personally identifiable information.

Director of National Intelligence, "Joint DHS and ODNI Election Security Statement," October 7, 2016. Unclassified.

This joint statement from the DNI and Department of Homeland Security reports that the United States Intelligence Community "is confident that the Russian Government directed the recent compromise e-mails from U.S. persons and institutions, including US political organizations." It goes on to state some of the reasons for that conclusion. In addition, it discusses cyber incidents related to state election computer systems.

Claire McCaskill, Senate Committee on Homeland Security and Governmental Affairs, Letter to Honorable John Kelly, Secretary of Homeland Security, March 7, 2017. Unclassified.

This letter poses ten questions to the Secretary of Homeland Security with regard to the Obama administration's designation of election infrastructure as a critical infrastructure subsector within the Government Facilities Sector - including whether the Trump administration would continue the designation and what assistance and tools the Department of Homeland Security could provide to state, local, tribal, and territorial governments.

National Association of Secretaries of State, "BRIEFING: Key Facts and Findings on Cybersecurity and Foreign Targeting of the 2016 U.S. Elections," March 20, 2017.

This two-page briefing on foreign cyber activity and the 2016 U.S. elections makes five points, which concern reports or assertions concerning the "hacking" of the presidential election, Russian intrusions into state and local election boards, attempted intrusions into state and local boards, Department of Homeland Security assistance to the states, and current safeguards and plans to improve those safeguards.

Connie Lawson, Indiana Secretary of State, "Russian Interference in the 2016 U.S. Elections," June 21, 2017. Unclassified.

In her testimony before the Senate Select Committee on Intelligence, Indiana's Secretary of State addresses foreign targeting of state and local election systems, protecting state and local elections from cyber threats, the uniqueness of elections as critical infrastructure, and preparations for the 2018 election cycle.

Jeannette Manfra, Acting Deputy Under Secretary for Cybersecurity and Communications, Department of Homeland Security and Samuel Liles, Acting Director, Cyber Division, Department of Homeland Security, Testimony before the Senate Select Committee on Intelligence, "Assessing Threats to Election Infrastructure," June 21, 2017. Unclassified.

In their joint testimony, these two homeland security officials discuss recent assessments of the cyber threat to U.S. political processes, including elections, and enhancing security for future elections.

DEFCON, DEFCON 25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities in US Election Equipment, Databases, and Infrastructure, September 2017. Unclassified.

This document reports findings from the DEFCON Voting Machine Hacking Village in which every piece of equipment was breached by the end of the conference.